How Did the Capital One Breach Happen?
On July 29th, 2019, Capital One released a public statement declaring that their system had been breached. A single hacker accessed the personal information of more than 100 million accounts.
By some estimates, this breach is expected to cost the company upwards of 150 million dollars. The damage to Capital One’s reputation may be harder to quantify.
So, how did such a disastrous breach happen?
Cloud Security Meets Human Error
As is the case with most breaches and hacks, there was some element of human error at play. One hacker infiltrated a system that had been set up by one employee. That system had a misconfigured firewall, which allowed the hacker to access the data.
How was the firewall misconfigured?
The firewall was assigned more permissions than it was supposed to have. It was allowed to list and read the contents of the files in any of the buckets of data on the server.
This was not supposed to happen.
There are a host of “if onlys” throughout this case that make it a particularly effective cautionary tale:
· If only that firewall had been set up properly, it would have prevented the access that the hacker exploited.
· If only there had been oversight of the employee responsible for setting up the system.
· If only someone was running penetration tests or other system analyses, this would not have happened…
You get the picture. A perfect storm of malice, incompetence, and poor training led to disaster for Capital One.
The Role of AWS in the Capital One Breach
Human error wasn’t the only factor in play. The data storage practices of Amazon Web Services (AWS) also contributed.
AWS is an Amazon-owned cloud computing platform—the largest and most profitable service of its kind. The Capital One firewall that was breached was stored on AWS.
While a faulty firewall is itself a cause for alarm, even more disturbing is that the person responsible for the breach:
The hacker, Paige Thompson (aka “Erratic”), was a former employee of AWS! She had worked for Amazon in 2017 and 2018. During that time, she made elaborate social media posts about her intentions to perpetrate the breach.
AWS released a statement announcing that Thompson had no privileged information allowing her access. Nevertheless, her employment at Amazon raises some alarming questions. She understood the system, its vulnerabilities, and ways to exploit them. Her knowledge was specialized and specifically related to the system she ultimately infiltrated.
If other AWS employees (or former employees) have intentions to engage in black hat hacking, how easily could they do that? For that matter, if any outside vendor is hosting your data, how vulnerable is that data to its employees?
The slightest lapse in updates, lack of oversight, or failure to encrypt can lead to similar breaches. Vendors matter!
Because this incident happened so recently, Capital One is still feeling the repercussions. It isn’t yet possible to know the full extent of the damage done to the company, but so far:
· According to reports, consumer confidence in the company—which plummeted in the wake of the breach—has remained low and is not expected to increase over the next several quarters.
· Revenues are expected to decrease by at least 3% over the next three years.
· Forbes magazine predicts that Capital One will incur an additional cost of $150 million this year and next year, and another $200 million in 2021 as a result of the breach.
· Net income for the company will decrease by nearly 20% by 2021.
· Capital One stocks have plummeted from over $100/share before the incident, to around $85/share today.
The company hired a Director of Cloud Security to prevent future such breaches. They also made an effort at controlling their losses, but the damage seems to have been done. If any good has come from the Capital One breach, it’s the excellent real-life lesson on the importance of diligent oversight and the need to have a vendor you can trust.
Subscribe to our blog to learn more about current events related to cloud security! Or follow the links below to see what else we’ve written lately.